Directory data services may provide directory data for a variety of clients and applications including user authentication, message delivery, and the application of group policies. Directory data services may serve a plurality of applications in which high throughput is important such as, for example, enterprise class messaging security. Applications and/or directory data services may use cached directory data to improve performance and to reduce the load on a directory server.
Directory data may contain groups and distribution lists; for the purposes of this disclosure, a distribution list differs from a group only in that it has at least one email address to which messages can be delivered. A group may have multiple members, each of which could be another group (a nested relationship) or a ‘leaf’ entry, such as an entry representing a user. Groups may be nested many levels deep. Application policies may be set at or bound to one or more groups within the directory server; we term a group bound to an application policy a ‘group of interest’.
To determine what policies apply to a user, an application may have to traverse multiple levels of groups to identify members. During traversal, groups and users that are not required to identify members of a group of interest may be loaded into memory. These extra groups and users may add processing time and overhead when attempting to resolve group membership identities for a particular group. Additionally, refreshing group membership and related data structures in cache may add a significant burden to directory servers.
In view of the foregoing, it may be understood that there may be significant problems and shortcomings associated with current directory technologies when used to determine the groups of which a user or sub-group is a member.
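
The traversal described above, as an added illustration that is not taken from the disclosure: each group of interest is expanded top-down through its nested groups, and the function returns both the policies that apply to a user and every entry that had to be loaded to decide. The directory contents, policy names and function names are constructed assumptions.

```python
from collections import deque

# Constructed sample directory: group -> direct members (nested groups or leaf users).
# An entry that is not a key of this mapping is treated as a leaf (user) entry.
DIRECTORY = {
    "grp:all-staff": ["grp:engineering", "grp:sales", "user:dana"],
    "grp:engineering": ["grp:platform", "user:alice"],
    "grp:platform": ["user:bob", "grp:engineering"],  # nesting cycle back to parent
    "grp:sales": ["user:carol"],
    "grp:contractors": ["user:erin"],
}

# Groups bound to an application policy ("groups of interest"); names are hypothetical.
POLICIES = {
    "grp:engineering": "block-external-forwarding",
    "grp:all-staff": "scan-attachments",
}


def expand_group(root, directory):
    """Breadth-first expansion of one group.

    Returns (leaf users reachable from root, every entry loaded on the way).
    """
    users, loaded, queue = set(), {root}, deque([root])
    while queue:
        for member in directory.get(queue.popleft(), []):
            if member in loaded:
                continue  # already visited; this also terminates nesting cycles
            loaded.add(member)
            if member in directory:
                queue.append(member)  # nested group: expand it later
            else:
                users.add(member)  # leaf entry
    return users, loaded


def policies_for_user(user, directory, policies):
    """Resolve which policies apply to user and what was loaded to find out."""
    applied, loaded = [], set()
    for group, policy in policies.items():
        users, entries = expand_group(group, directory)
        loaded |= entries
        if user in users:
            applied.append(policy)
    return sorted(applied), loaded


if __name__ == "__main__":
    applied, loaded = policies_for_user("user:bob", DIRECTORY, POLICIES)
    print(applied, len(loaded))
```

Resolving a single user here pulls in the sales group and three unrelated users, which is the overhead the passage describes.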